
Docs incompatible with ADFS OIDC provider #1280

@Misha-133


Bug Report

Problematic behavior
I was setting up Docs for myself and decided to use the already set-up Windows Server domain controller as the OIDC provider (via ADFS) for convenience. But after throwing all the services together and compose-upping everything, I got stuck on not being able to log in. Looking into the container's logs I saw this:

Container logs
backend-1     | lasuite.oidc_login.backends INFO Creating user dlvyg+PkAtlCmoJtTqbT+W8AJ743J2PaovD5oe6mrHs=
backend-1     | django.request ERROR Internal Server Error: /api/v1.0/callback/
backend-1     | Traceback (most recent call last):
backend-1     |   File "/usr/local/lib/python3.13/site-packages/django/core/handlers/exception.py", line 55, in inner
backend-1     |     response = get_response(request)
backend-1     |   File "/usr/local/lib/python3.13/site-packages/django/core/handlers/base.py", line 197, in _get_response
backend-1     |     response = wrapped_callback(request, *callback_args, **callback_kwargs)
backend-1     |   File "/usr/local/lib/python3.13/site-packages/django/views/generic/base.py", line 105, in view
backend-1     |     return self.dispatch(request, *args, **kwargs)
backend-1     |            ~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^
backend-1     |   File "/usr/local/lib/python3.13/site-packages/django/views/generic/base.py", line 144, in dispatch
backend-1     |     return handler(request, *args, **kwargs)
backend-1     |   File "/usr/local/lib/python3.13/site-packages/mozilla_django_oidc/views.py", line 124, in get
backend-1     |     self.user = auth.authenticate(**kwargs)
backend-1     |                 ~~~~~~~~~~~~~~~~~^^^^^^^^^^
backend-1     |   File "/usr/local/lib/python3.13/site-packages/django/views/decorators/debug.py", line 75, in sensitive_variables_wrapper
backend-1     |     return func(*func_args, **func_kwargs)
backend-1     |   File "/usr/local/lib/python3.13/site-packages/django/contrib/auth/__init__.py", line 114, in authenticate
backend-1     |     user = backend.authenticate(request, **credentials)
backend-1     |   File "/usr/local/lib/python3.13/site-packages/lasuite/oidc_login/backends.py", line 113, in authenticate
backend-1     |     user = super().authenticate(request, **kwargs)
backend-1     |   File "/usr/local/lib/python3.13/site-packages/mozilla_django_oidc/auth.py", line 326, in authenticate
backend-1     |     return self.get_or_create_user(access_token, id_token, payload)
backend-1     |            ~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
backend-1     |   File "/usr/local/lib/python3.13/site-packages/lasuite/oidc_login/backends.py", line 261, in get_or_create_user
backend-1     |     user = self.create_user(claims)
backend-1     |   File "/usr/local/lib/python3.13/site-packages/lasuite/oidc_login/backends.py", line 277, in create_user
backend-1     |     user.save()
backend-1     |     ~~~~~~~~~^^
backend-1     |   File "/app/core/models.py", line 222, in save
backend-1     |     super().save(*args, **kwargs)
backend-1     |     ~~~~~~~~~~~~^^^^^^^^^^^^^^^^^
backend-1     |   File "/usr/local/lib/python3.13/site-packages/django/contrib/auth/base_user.py", line 65, in save
backend-1     |     super().save(*args, **kwargs)
backend-1     |     ~~~~~~~~~~~~^^^^^^^^^^^^^^^^^
backend-1     |   File "/app/core/models.py", line 103, in save
backend-1     |     self.full_clean()
backend-1     |     ~~~~~~~~~~~~~~~^^
backend-1     |   File "/usr/local/lib/python3.13/site-packages/django/db/models/base.py", line 1679, in full_clean
backend-1     |     raise ValidationError(errors)
backend-1     | django.core.exceptions.ValidationError: {'sub': ['Enter a valid sub. This value may contain only letters, numbers, and @/./+/-/_/: characters.']}

After doing a bunch of research I found out that ADFS returns a hash value of a set of properties in the sub claim, which always contains an = character and sometimes others (like /, etc.). And it's not possible to alter this behavior on the ADFS side as far as I understand, since it's meant to be "stable".

Expected behavior/code
ADFS OIDC Just Works™️

Steps to Reproduce

  1. Set up a Windows Server domain controller with ADFS as an OIDC provider
  2. Configure Docs to use the said DC for OpenID auth
  3. Navigate to Docs & try to log in
  4. After successfully logging in & returning to Docs, observe a 500 response code & errors in the backend container's logs

Environment

  • Docs version: v3.5.0
  • Instance url: private

Possible Solution
Update validations for the sub property to allow usage of =, / and other special characters that may appear in the sub claim
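The following is an added example, not code from Docs or from the reporter. It rebuilds in plain Python the kind of character-set check that the quoted validation error implies (the exact regex Docs uses is not shown on this page, so the strict pattern below is an assumption mirroring the error text), then a relaxed pattern that additionally admits the base64 characters `/` and `=`. It also shows the check a practitioner would want to keep regardless of pattern: OIDC Core 1.0 §2 defines sub as an opaque, case-sensitive string of at most 255 ASCII characters, so length and a printable-ASCII ceiling still bound the value while nothing is normalised. The sample subs are constructed for the example; the ADFS one is the value from the log above.

```python
import re

# Constructed for this example: mirrors the character list in the quoted
# error ("letters, numbers, and @/./+/-/_/: characters"). The real Docs
# validator is not shown on the page, so this exact regex is an assumption.
STRICT_SUB = re.compile(r"^[\w.@+\-:]+$")

# Proposed relaxation: same set plus '/' and '=', which together with the
# existing '+' cover the standard base64 alphabet and padding that ADFS
# emits in its hashed sub values.
RELAXED_SUB = re.compile(r"^[\w.@+\-:/=]+$")

# OIDC Core 1.0 §2: sub MUST NOT exceed 255 ASCII characters and is
# case-sensitive. Enforced independently of the allowed-character pattern:
# printable ASCII only, so whitespace, control and non-ASCII bytes are
# refused even under the relaxed pattern.
SUB_MAX_LEN = 255
PRINTABLE_ASCII = re.compile(r"^[\x21-\x7e]+$")


def validate_sub(sub: str, pattern: re.Pattern = RELAXED_SUB) -> str:
    """Return sub unchanged if acceptable, otherwise raise ValueError.

    The value is never trimmed, case-folded or re-encoded: the (iss, sub)
    pair is the identity key and must be compared byte-for-byte.
    """
    if not isinstance(sub, str) or not sub:
        raise ValueError("sub missing or empty")
    if len(sub) > SUB_MAX_LEN:
        raise ValueError("sub longer than 255 characters")
    if not PRINTABLE_ASCII.fullmatch(sub):
        raise ValueError("sub contains whitespace, control or non-ASCII characters")
    if not pattern.fullmatch(sub):
        raise ValueError("sub contains characters outside the allowed set")
    return sub


# Constructed samples. "adfs_base64" is the sub from the container log above;
# the others are made up to exercise the edge cases.
SAMPLES = {
    "adfs_base64": "dlvyg+PkAtlCmoJtTqbT+W8AJ743J2PaovD5oe6mrHs=",
    "keycloak_uuid": "8d4a0f2e-1c3b-4e5f-9a6b-7c8d9e0f1a2b",
    "base64_with_slash": "ab/cd+ef==",
    "empty": "",
    "newline_injection": "alice\n:admin",
    "too_long": "A" * 256,
}


def check_all(pattern: re.Pattern) -> dict:
    """Map each sample name to True (accepted) or False (rejected)."""
    results = {}
    for name, sub in SAMPLES.items():
        try:
            validate_sub(sub, pattern)
            results[name] = True
        except ValueError:
            results[name] = False
    return results


if __name__ == "__main__":
    # The strict pattern rejects the ADFS value only because of the '=' padding;
    # the relaxed one accepts it while still refusing the malformed samples.
    for label, pattern in (("strict", STRICT_SUB), ("relaxed", RELAXED_SUB)):
        print(label, check_all(pattern))
```

Widening the allowed set is safe here because sub is never used as a path, username or display string by this check; the properties that matter for account linking are that the value is non-empty, bounded, and compared exactly against what the same issuer sent before.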

Labels: bug (Something isn't working), triage